Virtual machine backup

ABSTRACT

A computer system comprises a processor unit arranged to run a hypervisor running one or more virtual machines; a cache connected to the processor unit and comprising a plurality of cache rows, each cache row comprising a memory address, a cache line and an image modification flag; and a memory connected to the cache and arranged to store an image of at least one virtual machine. The processor unit is arranged to define a log in the memory and the cache further comprises a cache controller arranged to set the image modification flag for a cache line modified by a virtual machine being backed up, but not for a cache line modified by the hypervisor operating in privilege mode; periodically check the image modification flags; and write only the memory address of the flagged cache rows in the defined log.

CLAIM OF PRIORITY

This application is a continuation application of and claims priorityfrom U.S. patent application Ser. No. 14/903,833, filed Jan. 8, 2016,which is a 371 of International Application IB2014/062822, filed Jul. 3,2014, which claims priority from GB Patent Application No. 1312417.7,filed Jul. 11, 2013.

FIELD OF THE INVENTION

The present invention relates to methods, computer systems, and computerprogram products for data processing.

BACKGROUND

Virtualization is commonly applied on computer systems to improve therobustness of the implemented computing architecture to faults and toincrease utilization of the resources of the architecture. In avirtualized architecture, one or more processor units, for exampleprocessors and/or processor cores, of the computer system act as thephysical hosts of virtual machines (VMs), which are seen by the outsideworld as independent entities. This facilitates robustness of thearchitecture to hardware failures, as upon a hardware failure, a VMpreviously hosted by the failed hardware may be passed over to anotherhost, without the user of the virtual machine becoming aware of thehardware failure. This concept is an important facilitator of so-called‘high availability’ of a service provided by such a VM.

Implementing a switch between two different hardware resources as aresult of a failure is not a trivial task, as the VM ideally should berelaunched in a state that is identical to the state of the VM at thepoint of the hardware failure to avoid inconvenience to the user. In oneapproach, this is provided by running multiple copies of a single VM inlock-step on different entities, for example different physical servers,such that upon the failure of one entity another entity can take overthe responsibility for hosting the VM. A significant drawback of suchlock-step arrangements is that processing resources are consumed by afailover copy of a VM, thus reducing the available bandwidth of thesystem, i.e. reducing the total number of VMs that can be hosted by asystem.

In another approach commonly found in commercial products, a physicalhost responds to a failure of another physical host by simply rebootingthe VM from a shared disk state, for example a shared image of the VM.This however increases the risk of disk corruption and the loss of theexposed state of the VM altogether.

A different failover approach is disclosed in “Remus: High Availabilityvia Virtual Machine Replication” by Brendan Cully et al. in NSDI'08Proceedings of the 5th USENIX Symposium on Networked Systems Design andImplementation, 2008, pages 161-174. In this approach, all VM memory isperiodically marked as read only to allow for changes to the VM memoryto be replicated in a copy of the VM memory on another host. In thisread-only state, a hypervisor is able to trap all writes that a VM makesto memory and maintain a map of pages that have been dirtied since theprevious round. Each round, the migration process atomically reads andresets this map, and the iterative migration process involves chasingdirty pages until progress can no longer be made. This approach improvesfailover robustness because a separate up-to-date image of the VM memoryis periodically created on a backup host that can simply launch areplica of the VM using this image following a hardware failure of theprimary host.

However, a drawback of this approach is that as the VM remainsoperational during the read-only state of its VM memory, a large numberof page faults can be generated. In addition, this approach does notallow for the easy detection of which portion of a page has beenaltered, such that whole pages must be replicated even if only a singlebit has been changed on the page, which is detrimental to the overallperformance of the overall architecture, as for instance small pagesizes have to be used to avoid excessive data traffic between systems,which reduces the performance of the operating system as the operatingsystem is unable to use large size pages.

U.S. Pat. No. 5,893,155 discloses a digital computer memory cacheorganization implementing efficient selective cache write-back, mappingand transferring of data for the purpose of roll-back and roll-forwardof, for example, databases. Write or store operations to cache linestagged as logged are written through to a log block builder associatedwith the cache. Non-logged store operations are handled local to thecache, as in a writeback cache. The log block builder combines writeoperations into data blocks and transfers the data blocks to a logsplitter. A log splitter demultiplexes the logged data into separatestreams based on address.

In short, the above approaches are not without problems. For instance,during suspension of the VM, the cache is sensitive to page faults asthe cache is put into a read-only state, as previously explained.Furthermore, large amounts of data may have to be stored for eachcheckpoint, which causes pressure on the resource utilization of thecomputing architecture, in particular the data storage facilities of thearchitecture.

BRIEF SUMMARY OF THE INVENTION

According to a first aspect of the present invention, there is provideda computer system comprising a processor unit arranged to run ahypervisor running one or more virtual machines; a cache connected tothe processor unit and comprising a plurality of cache rows, each cacherow comprising a memory address, a cache line and an image modificationflag; and a memory connected to the cache and arranged to store an imageof at least one virtual machine; wherein the processor unit is arrangedto define a log in the memory; and the cache further comprises a cachecontroller arranged to set the image modification flag for a cache linemodified by a virtual machine being backed up, but not for a cache linemodified by the hypervisor operating in privilege mode; periodicallycheck the image modification flags; and write only the memory address ofthe flagged cache rows in the defined log.

BRIEF DESCRIPTION OF THE DRAWINGS

Particular embodiments of the present invention will now be described,by way of example only, with reference to the following drawings, inwhich:

FIG. 1 schematically depicts a computer system according to anembodiment of the present invention;

FIG. 2 schematically depicts an aspect of a computer system according toan embodiment of the present invention in more detail;

FIGS. 3a and 3b schematically depict another aspect of a computer systemaccording to an embodiment of the present invention in more detail;

FIG. 4 schematically depicts a flow chart of an aspect of a method ofupdating computer system according to an embodiment of the presentinvention;

FIG. 5 schematically depicts a flow chart of another aspect of a methodof updating computer system according to an embodiment of the presentinvention;

FIG. 6 schematically depicts a flow chart of another aspect of a methodof updating computer system according to another embodiment of thepresent invention; and

FIG. 7 schematically depicts a computer cluster according to anembodiment of the present invention.

DETAILED DESCRIPTION OF THE EMBODIMENTS

According to an aspect of the present invention, there is provided amethod of operating a computer system comprising a processor unitarranged to run a hypervisor running one or more virtual machines; acache connected to the processor unit and comprising a plurality ofcache rows, each cache row comprising a memory address, a cache line andan image modification flag; and a memory connected to the cache andarranged to store an image of at least one virtual machine; the methodcomprising the steps of defining a log in the memory; setting the imagemodification flag for a cache line modified by a virtual machine beingbacked up, but not for a cache line modified by the hypervisor operatingin privilege mode; periodically checking the image modification flags;and writing only the memory address of the flagged cache rows in thedefined log.

In the computer system of the present invention, a hypervisor isarranged to host a VM as well as act as a VM image replication managerto create a replica of a VM image in another location, for example inthe memory of another computer system. As all changes made to an imageof an active VM by the processor unit hosting the VM will travel throughits cache, it is possible to simply log the memory address associatedwith a dirty cache line. To this end, the cache rows include an imagemodification flag that signal the modification of a cache line by theexecution of the VM, and therefore signal a change to the VM image,which has the advantage that the memory addresses of the dirty cachelines can be written to the log without requiring the expulsion of thedirty cache lines from the cache at the same time, which would be thecase if the relevant memory addresses would be identified on the basisof a dirty bit tag used to write modified cache lines to the memory ofthe computer system instead. Hence, the use of an additional bit flagthat signals modification of a cache line by execution of a VM ensuresthat the memory addresses of the thus modified cache lines can bewritten to the log without at the same time requiring the cache lines tobe flushed from the cache, thus significantly reducing the amount ofdata that needs to be transferred from the cache when updating the log.However, the image modification flag is only set if the change to acache line is caused by a virtual machine operation that relates to avirtual machine being backed up. If the change to a cache line is causedby a virtual machine that is not been backed up or as the result of thehypervisor operating in privilege mode, then the image modification flagis not set. This reduces the amount of unnecessary data that is backedup at a checkpoint.

Advantageously, the processor unit is arranged to run multiple executionthreads, in a technique commonly referred to as “SimultaneousMultithreading (SMT)”, and the hypervisor is arranged to maintain athread mask flagging those threads that relate to one or more virtualmachines being backed up and when setting the image modification flagfor a cache line modified by a virtual machine being backed up, refersto the thread mask to determine whether to set the image modificationflag to determine whether to set the image modification flag for thecurrent cache line being modified. In a particular embodiment, eachcache row further comprises a thread ID indicating which executionthread is responsible for modification of the cache line in therespective cache row.

In a particular embodiment, a single bitfield register, called thethread mask, is introduced on each processor unit, with a number of bitsequal to the number of hardware threads supported by that unit, andhypervisor-privileged operations added to set those bits. The hypervisor(which knows which virtual machines are running on which hardwarethreads) sets the associated bits in the thread mask for the hardwarethreads that are running virtual machines that require checkpoint-basedhigh-availability protection. A new field, thread ID is added alongsidethe image modification flag on every cache line. It is sufficientlylarge to contain the ID of the hardware thread that issued the storeoperation (i.e. two bits if four hardware threads are supported). When astore is performed, the image modification flag is now set in the cache,only if the store was not executed when running in the hypervisorprivilege mode and if the thread mask bit corresponding to the currentlyexecuting hardware thread is set. As well as setting the imagemodification flag, these store operations can also write the ID of thehardware thread that issued the store to the cache line's new thread IDfield. When cache lines are logged during a cast-out, snoop interventionor cache-clean operation, the contents of the thread ID field associatedwith the cache line are also written to the log or as an alternative thethread ID directs the log record to a different log, depending on thevalue of the thread ID, with the processor core capable of storingposition and size information for multiple logs. When this alternativeis used, it is not necessary to write the thread ID field to the log.

These enhancements allow multiple virtual machines to execute on asingle processor unit concurrently, with any number of them running withcheckpoint-based high-availability protection. The presence of thethread ID in the logs, coupled with the hypervisor's existing notion ofwhich virtual machines are currently running on which processor coresand hardware threads is sufficient to allow the secondary host (thememory location where the backup image is stored) to update the correctvirtual machine memory image on receipt of the logs.

The cache controller typically is further adapted to write the memoryaddress of a flagged cache line in the defined log upon the eviction ofsaid flagged line from the cache to capture flagged changes to the VMimage that no longer are guaranteed to be present in the cache duringthe periodic inspection of the image modification tags.

In a particular embodiment, the computer system is further arranged toupdate a further image of the virtual machine in a different memorylocation by retrieving the memory addresses from the log; obtaining themodified cache lines using the retrieved memory addresses; and updatingthe further image with said modified cache lines, such that the loggedmemory addresses are used to copy only the altered data of the primaryimage to the copy of the VM image, which copy may for instance belocated on another computer system.

In this manner, VM images may be synchronized without the need to incuradditional page faults and reduces the traffic between systems due tothe smaller granularity of the data modification, i.e. cache line-sizerather than page size and due to the fact that the VM is suspendedduring image replication, thus obviating the need for page protection.This approach is furthermore page size-agnostic such that larger pagesizes can be used than for instance is the case in the Remus approach.Moreover, the additional hardware cost to the computer system isminimal; only minor changes to the cache controller, for example to thecast-out engine and the snoop-intervention engine of the cachecontroller, and to the cache rows of the cache are required to ensurethat the cache controller periodically writes the memory address of thedirty cache line in the log by periodic inspection of the imagemodification flag during the execution of the VM.

The computer system may replicate data from the primary VM image to acopy in push or pull fashion. In a push implementation, a processor unitfrom the same computer system, for example the processor unit runningthe VM or a different processor unit, may be also responsible, undercontrol of the hypervisor, for updating the copy of the image of the VMin the different memory location, which may be a memory location in thememory of the same computer system or a memory location in the memory ofa different computer system. In a pull implementation, a processor unitof a different computer system may be adapted to update the copy of theVM image in the memory location on this different computer system bypulling the memory addresses and associated modified cache lines fromthe computer system hosting the VM.

The cache may include a write-back cache, which may form part of amulti-level cache further including a write-through cache adapted towrite cache lines into the write-back cache, wherein only the cache rowsof the write-back cache comprise the flag. As by definition the cachelines in a write-through cache cannot get dirty because cache linemodifications are also copied to a write-back cache, only the write-backcaches need inspecting when periodically writing the memory addresses tothe log.

In a particular embodiment, the log which stores the addresses ofchanged cache lines is a circular buffer and the system comprises aplurality of registers adapted to store a first pointer to a wrap-aroundaddress of the circular buffer; a second pointer to the next availableaddress of the circular buffer; a third pointer to an initial address ofthe circular buffer; and the size of the circular buffer; and the cachecontroller is adapted to update at least the second pointer followingthe writing of a memory address in the log. This is a particularlyadvantageous embodiment of the log, as the size of the log is definedprior to its use, thus avoiding conflicts in (the system) memory, andfacilitating monitoring of the fill level of the log by the replicationmanager such that the replication manager can invoke the synchronizationmode for updating the secondary VM if the fill level of the logapproaches the capacity of the log, i.e. when the log is almost full. Inthis embodiment, the processor unit or the cache controller may comprisededicated registers that are accessible to the cache controller and thatallow for the monitoring of the fill level of the circular buffer, forexample by the cache controller or by the hypervisor.

In a particular embodiment, each processor unit is configured todeduplicate the memory addresses in the log prior to the retrieval ofthe addresses from the log. This reduces the amount of time required forsynchronizing data between the memories respectively comprising theimage of the VM and its copy because it is ensured that the altered datain a logged memory location is copied once only, thus further reducingthe amount of time the primary VM is suspended. In this manner, the logis updated with the memory addresses of the modified cache lines withoutthe need to flush the modified cache lines from the cache at the sametime, thus providing a method in which VM image replication data isgenerated at minimal data bandwidth.

The processor unit typically further performs the step of writing thememory address of a flagged cache line in the defined log upon theeviction of said flagged line from the cache to capture flagged changesto the VM image that no longer are guaranteed to be present in the cacheduring the periodic inspection of the image modification tags.

FIG. 1 schematically depicts a computer system 100. The computer system100 comprises a plurality of processor units 110 for hosting one or morevirtual machines. In FIG. 1, four processor units 110 a-110 d are shownby way of non-limiting example only; it should be understood that thecomputer system 100 may comprise any suitable number of processor units.A processor unit is a unit of hardware that is capable of (pseudo-)autonomous execution of a computer program code, such as a processor,microprocessor or a core of a processor or microprocessor comprising aplurality of such cores. Each processor unit 110 can be arranged to runa hypervisor, which is a software component that enables the provisionof the virtual machine(s) to external users.

Each processor unit 110 further is connected to and has access to acache 120, which comprises a cache controller 122 in addition to a poolof entries 124, with each entry including a cache line and one or moretags. Any suitable cache architecture may be used, for example a singlecache or several levels of cache, such as a level-1 cache, a level-2cache and a level-3 cache or suitable subsets thereof. The cache 120 mayreside in any suitable location. For instance, the cache 120 may belocated on or in the vicinity of the processor unit 110 to ensure asignificant reduction in data retrieval latency as is well-known per se.

In the embodiment shown in FIG. 1, each processor unit 110 has access toa dedicated cache 120. Four caches 120 a-d are shown by way ofnon-limiting example only, one for each of the respective processorunits 110 a-d. However, it should be understood that any suitableconfiguration may be chosen, for example a configuration in which aprocessor unit 110 has access to multiple caches 120, which may beorganized in a hierarchical structure, for example a combination of alevel-1, level-2 and level-3 cache, as previously explained.

Each processor unit 110 is typically communicatively coupled to busarchitecture 130 through its respective cache 120, at least at afunctional level. This means that any access of data by a processor unit110 will involve its cache 120, as is commonly the case in such computersystems 100. The exact nature and connectivity of the bus architectureis not particularly relevant to the present invention, and it sufficesto say that any suitable bus architecture 130 may be chosen.

The computer system 100 further comprises a memory 140 coupled to thebus architecture 130, which again may take any suitable form, forexample a memory integrated in the computer system or a distributedmemory accessible over a network. The memory 140 is connected to thecaches 120. The memory 140 may be volatile memory or a non-volatilememory. Many other suitable embodiments of such a memory 140 will beapparent to the skilled person. Although not shown, the computer system100 may comprise additional components such as one or more networkinterfaces, input ports, output ports and so on, as is of coursewell-known to the skilled person.

The computer system 100 is adapted to host a one or more virtualmachines on the processor units 110, through the use of a hypervisor. Avirtual machine (VM) is a software representation of a computing devicecapable of hosting anything from a single computer program to a completeoperating system, and which may be present itself as a separate systemto the user of the computer system 100, such that the user has noawareness of the underlying computer system 100. For instance, in thecase of the computer system 100 embodying a local area network (LAN)server having a plurality of processors each comprising a number ofcores, the user accessing the LAN will be able to engage with theservices hosted by the VMs but will be unaware of the underlying server.These concepts are of course well-known per se and will not be explainedin further detail for the sake of brevity only.

One of the attractions of virtualization is improved robustness due tothe ability to provide failover between VMs, which means that should aVM fail for any reason, a backup VM is available that will continue toprovide the VM functionality to the user, without the user being awarethat the first VM failed. To this end, a copy of a VM is periodicallyupdated to ensure that the copy accurately represents the actual currentstate of the original VM in case the original VM exhibits a failure andwill have to fail over to the copy, as it is preferable that the one ormore users of the VM are unaware of the failover. The original VM willbe referred to as the primary VM and its copy will be referred to as thesecondary VM.

Such synchronization between the primary VM and the secondary VMrequires the temporary suspension of the primary VM to ensure that itsstate does not change during the synchronization. The duration of suchsuspension should be kept to a minimum to ensure that the one or moreusers of the VM are not noticeably affected by the temporary suspension.

To avoid such performance penalties, it is common practice to createdifferential checkpoints, in which only changes in the state of anentity since the last checkpoint are captured. Such checkpoints may begenerated by writing the address and data from a cache line to asecondary memory such as a level-2 cache or the system memory 140 assoon as the data in a cache line is altered, as for instance isdisclosed in U.S. Pat. No. 5,893,155 for the purpose of databaseroll-back. When using such checkpoint generation for VM replicationpurposes, it has the drawback that a large amount of data may beunnecessarily communicated during operation of the primary VM; forinstance, if a cache line of the cache 120 used by the primary VM isupdated multiple times during the operation mode of the primary VM,previous versions of the data in the cache line are unnecessarilywritten to the secondary memory as this ‘old’ data has become redundant.

An example architecture of the data storage part 124 of a cache 120 isshown in FIG. 2. The data storage part 124 comprises a plurality ofcache rows 1210, with each cache row 1210 including a tag 1212 which isthe address of the data in memory 140, a cache line 1214 and a number offlag bits. The flag bits comprise a valid bit 1215, which signals if thecache line 1214 is still relevant to the processor unit 110, a dirty bit1216, which signals if the cache line 1214 has been altered such that itneeds writing back to the address in memory 140 stored in the tag 1212,an image modification flag 1217 and a thread ID field 1218, which aredescribed in more detail below.

The cache rows 1210 of a cache 120 capable of containing dirty cachelines 1214 include the VM image modification bit flag 1217 that signalswhether the cache line 1214 is modified by a processor unit 110executing a VM that is being backed up. In other words, this flagsignals if the modified cache line 1214 forms part of a VM image forwhich a checkpoint based backup is operating. The cache controller 122will set both the dirty bit flag 1216 and the VM image modification flag1217 to true upon a write access of the cache line 1214 by the processorunit 110 during the execution of a VM that is being backed up. Thepurpose of this will be explained in more detail below.

The processor unit 110 hosting a primary VM typically includes areplication manager, which may be included in the design of thehypervisor, and/or which may be realized in hardware, in software, or acombination of hardware and software. The replication manager is adaptedto create a log in the system memory 140 for logging the memoryaddresses of the cache lines 1214 modified during the execution of theVM. Preferably, the data in the log is only accessible to thereplication manager of a processor unit including other processor units110 of the computer system 100 or processor units 110 of anothercomputer system 100 as will be explained in more detail later.

In a particular embodiment, the memory address log in the memory 140 hasa defined size and allocation to avoid corruption of the memory 140. Anysuitable implementation of such a log may be chosen. A particularlysuitable implementation is shown in FIG. 3a . In this embodiment, thelog is defined as a circular buffer 200 in the system memory 140, andhas a size 202 defined by the replication manager, which may be part ofthe hypervisor of the processor unit 110. The log 200 is designed tocomprise a plurality of memory addresses in memory locations 204. Aportion 206 is shown to indicate unused memory locations in the log 200.

In order to facilitate the management of the log 200 during theexecution of a VM on the processor unit 110, the computer system 100includes a set of registers 210 including a first register 212 in whichthe base address of the circular buffer 200 is stored, a second register214 in which the next available address of the circular buffer isstored, a third register 216 in which the starting point of the circularbuffer 200 is stored and a fourth register 218 in which the size 202 ofthe circular buffer 200 is stored. The set of registers 210 may belocated on the respective processor unit 110. Alternatively, the set ofregisters 210 may form part of the cache controller 122. The registers210 also include a thread mask 220, which contains a flag for eachthread being executed by the respective processor unit 110. The threadmask 220 indicates those threads that relate to a virtual machine thatis being backed up. During initialization of the log 200, thereplication manager of the processor element 110 will populate theregisters 212, 214, 216 and 218 and the thread mask 220 with theappropriate values after which execution of the VM(s) on the processorunit 110 may start or resume.

The hardware architecture of the cache controller 122 has been extendedsuch that upon the temporary suspension of a VM by the hypervisor of itsprocessor unit 110 to facilitate the replication of the VM image and inresponse to a signal from the processor unit 110 requesting that thememory addresses in the tags 1212 of the modified cache lines 1214should be made available for replication of the VM image, the cachecontroller 122 is adapted to traverse the cache 120 and inspect the VMimage modification bit flags 1217, and write the memory addresses of thecache lines 1214 and the thread ID 1218 to the log 200 of the cachelines 1214 that have a VM image modification flag 1217 set to true, andto clear the VM modifications flags 1217 once the corresponding memoryaddresses have been written to the log 200.

FIG. 3a shows an arrangement of registers 210 for a processor unit 110that supports four hardware threads in which log records are emitted toa single log 200, with each record being tagged with the thread ID 1218.The per-hardware-thread processor privilege register, which indicateswhether a hardware thread is running in hypervisor mode or not is notshown, as it is present in existing processor implementations. Since theaddress 204 stored in the log 200 is the address of a cache line, anygiven cache line address can be represented in 64 bits with theleast-significant bits spare to contain the thread ID, so a log recordcan be wholly contained within 64 bits. As described above, cast-outs,snoop interventions and cache clean operations will emit all cache lineswith the image modification flag 1217 set to the in-memory log, with thelog 200 containing the thread ID and address of the entry.

When using an alternative mechanism, shown in FIG. 3b , in whichdifferent hardware threads log to different buffers 200, there will beone set of base, producer head, barrier and size registers for eachhardware thread. It is not necessary to use an explicit thread maskregister, since a null value (such as a zero size) can be used in theexisting registers to indicate that backup is disabled for that hardwarethread. Cache lines that fit the criteria (backup enabled for thehardware thread, and not running in hypervisor privileged mode) will bemarked in the cache with the image modification flag 1217 set and thethread ID indicated, and on cast-out, snoop intervention or cache cleanwill be written out to one of four logs, with the destination in memoryidentified by first examining the thread ID associated with that cacheline, and then writing the cache line address to the address specifiedby the producer head register of the appropriate hardware thread.

Under both models, any change to the hardware thread-to-VM assignment(for example scheduling a VM to run on a hardware thread on which it wasnot previously running) would require a cache-clean operation to ensurethat any image modification flag data for the virtual machine that waspreviously running on the hardware thread had been pushed out to the logprior to the switch taking place, and the hypervisor should note atwhich point in the log the virtual machine switched from one to another,so that the processor unit 110 is able to communicate these memorychanges to the secondary host in terms of the virtual machine that hasundergone modification, rather than the hardware thread that caused themodification.

As a further optimization, the cache clean operation could be extendedto only target specific thread IDs, allowing the operation toselectively clean only the cache lines associated with hardware threadsthat are being reassigned to another virtual machine. This would reducethe number of unnecessary log entries that were produced if, forexample, three hardware threads were running code for virtual machine 0,and a fourth running code for virtual machine 1. A reassignment to havethe fourth hardware thread run code for virtual machine 2 only requiresthat cache lines associated with the fourth hardware thread been writtento the in-memory buffer before it can start executing code for virtualmachine 2.

The process of setting the image modification flag 1217 is explained inmore detail with the aid of FIG. 4, which shows a flowchart of anexample embodiment of such an updating method. After starting themethod, the replication manager creates the log in the system memory 140in step 410 and stores the relevant values of the base address, initialaddress (starting point), next available address and log size in theregisters 212, 214, 216 and 218 as previously explained. The thread mask220 is also populated, indicating which threads being executed by theprocessor unit 110 relate to virtual machines being backed up. The cachecontroller 122 subsequently monitors and handles in step 420 accesses tothe cache lines in the line memory 124 of the cache 120 by the processorunit 110 (or any other processor unit).

In addition, the cache controller 122 performs a number of checks instep 420, which checks have been identified in FIG. 4 as steps 420′,420″ and 420′″ respectively. In step 420′, the cache controller 122checks if the cache line access has caused a modification of theaccessed cache line, in which case the cache controller set the flag1216 signaling the cache line as being dirty, as is well-known per se.In case of such a modification of a cache line, the method proceeds fromstep 420′ to step 425, in which the cache controller 122 further checksif such a dirty cache line has been generated during the execution of aVM that is being backed up, via reference to the thread mask 220. Ifthis is the case, the cache controller 122 also sets the VM imagemodification flag 1217 signaling the cache line as being a dirty cacheline belonging to a VM image to be backed up in step 430 beforereturning to step 420. Any hypervisor actions in privilege mode also donot result in the image modification flag 1217 being set.

If the cache access does not lead to the modification of a cache linebut instead causes the eviction of a cache line from the cache 120, aschecked in step 420″, the method proceeds from step 420″ to step 435 inwhich the cache controller 122 checks if a cache line to be evicted fromthe cache 120 is flagged as being modified by the VM, i.e. checks if theVM image modification flag 1217 of the cache line to be evicted is setto true. In case such a modified cache line is evicted from the cache,for example because of a fresh cache line requested by the processorunit 110 forcing the eviction of a modified stale cache line from thecache 120 or because of a further processor unit 110 requesting soleaccess to a modified cache line residing in the cache 120, the cachecontroller 122, for example using the cast-out engine or thesnoop-intervention engine, writes the memory address of the evictedcache line to the log 200 in step 440, to ensure that this modificationis captured in the log 200, after which the method returns to step 420.Obviously, when replacing such a cache line 1214 in the cache 120, itsflags 1215, 1216 and 1217 are cleared or reset to the values that areappropriate for the fresh cache line. In case the cache access requestdoes not involve the eviction of a cache line, it is further checked instep 420′″ if the cache access request is a request to generate a VMcheckpoint. Such a request may originate from the replication manager ofthe processor unit 110 hosting the VM, or alternatively may originatefrom a replication manager of another processor unit responsible forreplicating the changes to the primary VM image during the execution ofthe VM in a secondary VM image. In a particular embodiment, step 420′″occurs periodically, at regular intervals such as every 25 ms, to ensurethat the secondary VM image is regularly updated. Any suitablecheckpoint generation frequency may be chosen.

It is noted for the avoidance of doubt that the checks 420′, 420″ and420′″ are shown as a sequence of steps for the sake of clarity only. Itshould be understood that the cache controller 122 does not have toperform each of these checks to decide what cause of action should betaken next. It is for instance equally feasible that the cachecontroller 122 may immediately recognize that a cache line eviction or aVM image replication is required, in which case the cache controller 122may proceed from step 420 directly to step 435 or step 460 respectively.

Upon detecting the checkpoint generation instruction in step 420′″, thecache controller 122 traverses the cache 120 and inspects in step 460the VM image modification flag 1217 of all cache rows 1210 that comprisesuch a flag. Upon detection of a VM image modification flag 1217 set totrue, the cache controller retrieves the memory address of theassociated cache line 1214 from tag 1212 and writes the retrieved memoryaddress into the log 200 in step 470. To this end, the cache controller122 retrieves the pointer of the next available address in the log 200from the register 214, for example by fetching this pointer orrequesting this pointer from the replication manager of the processorunit 110.

At this point, the pointer in register 214 will need updating to ensurethat no memory addresses are overwritten. The pointer may be updated bythe cache controller 122 or alternatively by the replication manager orthe hypervisor, of the processor unit 110, although the latterimplementation may negatively impact on the performance of thehypervisor in case cache lines are frequently expelled, which is thecase in most operating scenarios in which caches are utilized. In aparticular embodiment, this updating step comprises moving the pointerforward by offsetting the pointer presently stored in the register 214with the size of the stored memory address and writing this offset valuein the register 214.

It is furthermore necessary to check if the next available address inthe log 200 to be stored in register 214 should be wrapped around to thebase address. In an embodiment, the cache controller 122 or thereplication manager of the processor unit 110 will check if the nextavailable address equals the base address+size of the log 200 as thisindicates that the boundary of the address range of the log 200 in thesystem memory 140 has been reached, and will set, i.e. wrap around, thenext available address to the base address if this is the case.

After completing step 470, the cache controller 122 subsequently resetsthe VM image modification flag to false in step 480. Step 480 may beexecuted at any suitable point in time, for example after each writeaction to the log 200, or after all write actions to the log 200 havebeen completed.

At this point, it is reiterated that any suitable cache architecture maybe used for the cache 120. It is known per se that such architecturesmay include different types of caches, such as a combination of awrite-through cache and one or more write-back caches. A write-throughcache retains data in the cache and at the same time, synchronously,pushes the data into a next level of the cache. This provides fastaccess times for subsequent reads of the cache lines 1214 by theprocessor unit 110 at the cost of slower write actions, as the writerhas to wait for the acknowledgement that the write action has beencompleted in the (slower) next level cache. By definition, awrite-through cache does not contain dirty cache lines, as the cachelines are ‘cleaned up’ in one of the next level caches. Hence, where anembodiment of the present invention includes a cache architectureincluding a write-through cache, the VM image modification flags 1217may be omitted from the write-through cache and may be added to onlythose caches that can contain dirty cache lines, that is the write-backcaches that do not push modified cache lines to a next level cache butare responsible for managing data coherency between caches and memory140 as a consequence. Step 460 is typically applied to all caches in thecache architecture that have cache rows 1210 containing the VM imagemodification flag 1217, therefore all write-back caches.

At this point, the replication manager may trigger the replication ofthe VM image in memory 140 to another memory location, such as anothermemory or cache, by accessing the log 200, fetching the addresses storedin the log 200, fetching the cache lines stored at the fetched addressesand updating a copy of the VM image in the other memory location withthe fetched cache lines, as previously explained.

It should be understood that the replication manager triggering theflush of the cache line addresses and the subsequent update of thesecondary image of the VM does not have to be the replication manager ofthe processor unit 110 running the VM. In an embodiment, the replicationmanager of another processor unit 110 of the computer system 100 may bein charge of this update process.

Generally, the embodiments in which the processor unit in charge of theVM image update process resides on the same computer system 100 as theprocessor unit 110 running the VM can be seen as embodiments in whichthe modified cache lines are pushed to another memory location. In analternative embodiment, modified cache lines may be pulled from theirprimary memory location by a processor unit on a separate computersystem, such as a processor unit responsible for hosting a secondaryversion of the VM, i.e. a processor unit to which the VM fails over, forexample in case of a hardware failure of the processor unit hosting theprimary VM. In this embodiment (as well as in the embodiment in adifferent processor unit of the computer system hosting the VM is incharge of the VM image replication process), the processor unit 110hosting the VM forwards data relevant to the replication of its VM imagein memory 140 including the values stored in the registers 212, 214, 216and 218 to the replication manager of another processor unit, forexample another processor unit in a different computer system, to allowthis further replication manager to retrieve the altered cache linesusing the addresses in the log 200 as will be explained in more detaillater.

In a particular embodiment, the replication manager is further adaptedto check if the next available address in register 214 is equal to theinitial address stored in register 216 prior to writing a cache lineaddress to the log 200. If the pointers in registers 214 and 216 are thesame, this signals that the log 200 is full and that no furtheraddresses can be written to the log 200 as this would cause some of theaddresses in the log 200 to be overwritten, thus causing incompletereplication of the primary or original VM image to its copy (thesecondary VM image).

If a full log 200 is detected in this manner, the replication managerprevents such a replication error by initiating an immediate failover ofthe primary VM to a secondary VM hosted on another computer system or byinitiating a complete resynchronization of all memory associated withthe primary VM and the secondary VM. It will be understood suchemergency measures are generally undesirable for performance reasons,such that it is important that the replication manager creates a log 200that is large enough to store all cast-out memory addresses during theinterval between the creation of two checkpoints.

Upon writing the memory addresses of the modified cache lines 1214 inthe log 200 in step 470, the method may further comprise the optionalstep of deduplicating addresses in the log 200 to remove multipleinstances of the same address in the log 200. This for instance canoccur if the frequency at which memory addresses are written to the log200 is higher than the frequency at which the memory addresses in thelog 200 are used to update a secondary VM image.

At this point, it is noted that the process of FIG. 4 has been describedassuming that a primary VM is hosted by a single processor unit 110. Itis emphasized that this is by way of non-limiting example only. It isfor instance equally feasible that a VM is hosted by several processorunits 110, for example several microprocessor cores, in which caseseveral logs 200 (one for each core) may be maintained that trackdifferent modifications to the VM image in memory 140. In such ascenario, the optional deduplication step may for instance be performedover all logs 200 such that a memory address occurs only once in thecombined logs 200 to reduce the amount of data that needs to be copiedto the secondary VM during a differential checkpoint generation.

As will be understood by the skilled person, the checkpoint generationmay further require synchronization of other relevant states between theprimary and secondary VMs, for example the state of the CPU, I/Oinvolving disk(s) and network and so on. As such synchronization isknown per se, this has not been described in further detail for the sakeof brevity only.

The flowchart of FIG. 4 describes an example embodiment of a firstoperating mode of a processor unit 110, which may be referred to as aproducer mode in which the processor unit 110 produces the relevant datarequired for the replication of the image of the VM in the memory 140 toa copy of this image in, for example, the memory of another computersystem. A processor unit 110 can also operate in a second operatingmode, in which it does not host a VM but is instead responsible forreplicating the image of a primary VM. This second operating mode may bereferred to as a consumer mode, as a processor unit 110 in this mode isadapted to consume the modified cache lines in the VM image produced bya processor unit 110 executing the VM in its first operation mode orproducer mode.

For instance, a further processor unit 110 of the computer system 100including the processor unit 110 hosting the VM may be responsible forupdating a replica of the VM image in a further location, for example, amemory of another computer system. Alternatively, the processor unit 110hosting the VM may switch between operating modes to assumeresponsibility for updating this replica. In yet another embodiment, aprocessor unit of another computer system, for example the computersystem on which the replica is stored, is responsible for updating thisreplica of the VM image.

The update of the VM image replica ensures that a processor unit 110 ofa computer system 100 storing the replica in its memory can take overexecution of the VM upon a hardware failure in the computer system 100hosting the primary VM, leading to the termination of the execution ofthe primary VM on this system.

In an alternative embodiment, the second operating mode is not aseparate operating mode but forms part of the first operating mode, inwhich case the processor unit 110 responsible for the execution of theprimary VM also is responsible for updating the replica of the VM in thefurther memory location.

It should be understood that in a computer cluster comprising multiplecomputer systems 100, some processor units 110 may be in producer mode(i.e. VM hosting mode) whilst other processor units 110 are in consumermode (i.e. in VM image replication mode). Even a single computer systemin such a cluster may comprise processor units 110 in producer mode aswell as in consumer mode, as previously explained. In an embodiment, thereplication manager, may control whether a processor unit 110 is inproducer mode or consumer mode, for example by setting a hardware flagfor the processor unit 110 such that it can be recognized in which modea processor unit 110 is operating.

FIG. 5 depicts a flow chart of the method steps performed during such asecond operating mode of a processor unit 110. In the consumer mode, aprocessor unit 110, for example the replication manager of the processorunit 110, receives the relevant information from the replication managerof the processor unit 110 in producer mode, such as the contents of theregisters 212, 214, 216 and 218 that will allow the replication managerof the consumer processor unit 110 to access the memory 140 of thecomputer system 100 including the producer processor unit 110. Thereplication manager of the producer processor unit 110 may volunteer therelevant information or may provide the relevant information upon arequest thereto by the replication manager of the consumer processorunit 110. Obviously, in an embodiment where the processor unit 110hosting the VM also acts as the processor unit responsible for updatingthe secondary VM image, the above step may be omitted.

Upon retrieving the relevant information, the consumer processor unit110 retrieves the memory addresses stored in the log 200 created by thereplication manager of the producer processor unit 110 hosting theprimary VM in step 510, and obtains the modified cache lines identifiedby the memory addresses in step 520. To this end, the consumer processorunit may send a data retrieval request over the bus architecture 130.Such requests are noticed by the cache controllers 122 of the computersystem 100, for example by the snoop-intervention engines of the cachecontrollers 122, which will fetch the cache line 1214 from the cache 120if the memory address in the data retrieval request matches a memoryaddress in one of the tags 1212 of the cache rows 1210 of the cache 120.The requesting processor unit 110 will typically await the response froma cache controller 122 of a further processor unit 110 for a definedperiod of time, after which the cache controller 122 of the requestingprocessor unit 110 will fetch the cache line from the memory 140, as anon-response from the other cache controllers 122 will mean that thecache line 1214 no longer resides in cache but has been cast from thecache 120 instead. The handling of such data retrieval requests in acomputer system 100 comprising multiple processor units 110 and caches120 is of course well known per se, and it should be understood that anysuitable data retrieval protocol may be applied without departing fromthe teachings of the present invention.

The consumer processor unit 110 subsequently updates the copy of the VMimage accordingly in step 530 by inserting the obtained modified cacheline 1214 in the appropriate location of the VM image copy. This processis repeated until all addresses have been retrieved from the log 200 aschecked in step 540, after which other state registers, if any, forexample state registers of the CPU as previously explained, may bereplicated as shown in step 550. At this point, the consumer processorunit 110 may signal the producer processor unit 110 hosting the primaryVM that replication is complete, upon which the producer processor unit110 hosting the primary VM, for example its hypervisor, will terminatethe suspension of the primary VM and reinitialize the log 200, resettingone or more of the registers 212, 214 and 216 in the cache managementmodule 122.

It should be immediately apparent to the skilled person that variousmodifications may be possible to the method shown in FIG. 5 withoutdeparting from the teachings of the present invention. For instance, theconsumer processor unit 110 may have permission to deduplicate theaddresses in the log 200 of the producer processor unit 110 hosting theprimary VM prior to retrieving the memory addresses from the log 200 instep 510.

In another embodiment, a processor unit 110 in the second operatingmode, i.e. consumer mode, is adapted to speculatively process the log200 of a processor unit 110 in the first operating mode, i.e. producermode. This embodiment is for instance useful when the consumer processorunit does not trigger the cache controller 122 of the producer processorunit to write the modified cache line addresses to the log 200, forexample in case the producer processor unit hosting the VM periodicallytriggers the update of the log 200. This has the advantage that theduration of the suspension of the primary VM can be further reduced aspart of the log 200 will already have been processed by the consumerprocessor unit 110 when the producer processor unit 110 suspends the VMfollowing the request to generate a checkpoint in step 420′″.

An example flowchart of this embodiment is shown in FIG. 6. In theprocess of FIG. 6, several steps are identical to the method of FIG. 5,and these steps will therefore not be explained again for the sake ofbrevity. In steps 510, 520 and 530 of FIG. 6, the consumer processorunit 110 retrieves a memory address from the log 200 of the processorunit 110 hosting the primary VM, retrieves the data from the memory 140in the computer system 100 of the producer processor unit 110 andupdates the secondary VM image as previously explained. In additionalstep 610, the consumer processor unit 110 invokes the update of theinitial address value of the log 200 as stored in register 216associated with the producer processor unit 110 hosting the primary VM.This may be achieved in any suitable way, for example by providing thereplication manager of the consumer processor unit 110 with writeprivileges to update this register or by the consumer processor unit 110instructing the replication manager of the producer processor element110 to update this register value accordingly.

Step 610 ensures that the available space in the log 200 of theprocessor unit 110 hosting the primary VM is kept up-to-date, as theaddresses already retrieved by the consumer processor unit 110 may beoverwritten, as indicated by the change in the initial address stored inthe register 216 associated with the producer processor unit 110 hostingthe primary VM to the first address in the log 200 not yet processed bythe consumer processor unit 110. This therefore reduces the risk of thelog 200 becoming full prematurely as the capacity of the log 200 iseffectively increased by the speculative processing of the log 200 bythe consumer processor unit 110. When the primary VM becomes suspended,as checked in step 620 and all addresses have been retrieved from thelog 200, the method may proceed to step 550 as previously explained inthe detailed description of FIG. 5.

In an alternative embodiment (not shown), as soon as the primary VMbecomes suspended, step 610 may be omitted from the process of FIG. 6,as it is no longer necessary to update the initial address value of thelog 200 as stored in register 216 associated with the producer processorunit 110 hosting the primary VM, as no further addresses will be writtento the log 200 and the log 200 will be re-initialized prior to thereactivation of the primary VM.

FIG. 7 schematically depicts a computer cluster 700 that comprises aplurality of computer systems 100, which are communicatively coupled toeach other via a network 720. The network 720 may be any suitable datacommunication network, for example a wired or wireless local areanetwork, a wireless or wired wide area network, the Internet and so on.The computer cluster 700 is typically adapted to host a plurality ofvirtual machines on the processor units 110 of the various computersystems 100 to be utilized by the users of the computer cluster 700. Thecomputer cluster 700 benefits from the VM replication principlesdescribed above in that multiple up-to-date or mirror images of a VM maybe generated in the respective memories 140 of at least some of thevarious computer systems 100 such that rapid VM failover can be providedwith little overhead.

It should be understood that in the context of the present invention, acomputer system is to be interpreted as a device that includes acollection of processor elements that can be utilized in unison. Thisdoes not necessarily equate to a single physical entity; it is equallyfeasible that a computer system is distributed over several physicalentities, for example different boxes, or that a single physical entityincludes more than one computer systems, for example several separategroups of processor units.

As will be appreciated by one skilled in the art, aspects of the presentinvention may be embodied as a system, method or computer programproduct. Accordingly, aspects of the present invention may take the formof an entirely hardware embodiment, an entirely software embodiment(including firmware, resident software, micro-code, etc.) or anembodiment combining software and hardware aspects that may allgenerally be referred to herein as a “circuit,” “module” or “system.”Furthermore, aspects of the present invention may take the form of acomputer program product embodied in one or more computer readablemedium(s) having computer readable program code embodied thereon.

Any combination of one or more computer readable medium(s) may beutilized. The computer readable medium may be a computer readable signalmedium or a computer readable storage medium. A computer readablestorage medium may be, for example, but not limited to, an electronic,magnetic, optical, electromagnetic, infrared, or semiconductor system,apparatus, or device, or any suitable combination of the foregoing. Morespecific examples (a non-exhaustive list) of the computer readablestorage medium would include the following: an electrical connectionhaving one or more wires, a portable computer diskette, a hard disk, arandom access memory (RAM), a read-only memory (ROM), an erasableprogrammable read-only memory (EPROM or Flash memory), an optical fiber,a portable compact disc read-only memory (CD-ROM), an optical storagedevice, a magnetic storage device, or any suitable combination of theforegoing. In the context of this document, a computer readable storagemedium may be any tangible medium that can contain, or store a programfor use by or in connection with an instruction execution system,apparatus, or device.

A computer readable signal medium may include a propagated data signalwith computer readable program code embodied therein, for example, inbaseband or as part of a carrier wave. Such a propagated signal may takeany of a variety of forms, including, but not limited to,electro-magnetic, optical, or any suitable combination thereof. Acomputer readable signal medium may be any computer readable medium thatis not a computer readable storage medium and that can communicate,propagate, or transport a program for use by or in connection with aninstruction execution system, apparatus, or device.

Program code embodied on a computer readable medium may be transmittedusing any appropriate medium, including but not limited to wireless,wireline, optical fiber cable, RF, etc., or any suitable combination ofthe foregoing.

Computer program code for carrying out operations for aspects of thepresent invention may be written in any combination of one or moreprogramming languages, including an object oriented programming languagesuch as Java, Smalltalk, C++ or the like and conventional proceduralprogramming languages, such as the “C” programming language or similarprogramming languages. The program code may execute entirely on theuser's computer, partly on the user's computer, as a stand-alonesoftware package, partly on the user's computer and partly on a remotecomputer or entirely on the remote computer or server. In the latterscenario, the remote computer may be connected to the user's computerthrough any type of network, including a local area network (LAN) or awide area network (WAN), or the connection may be made to an externalcomputer (for example, through the Internet using an Internet ServiceProvider).

Aspects of the present invention are described below with reference toflowchart illustrations and/or block diagrams of methods, apparatus(systems) and computer program products according to embodiments of theinvention. It will be understood that each block of the flowchartillustrations and/or block diagrams, and combinations of blocks in theflowchart illustrations and/or block diagrams, can be implemented bycomputer program instructions. These computer program instructions maybe provided to a processor of a general purpose computer, specialpurpose computer, or other programmable data processing apparatus toproduce a machine, such that the instructions, which execute via theprocessor of the computer or other programmable data processingapparatus, create means for implementing the functions/acts specified inthe flowchart and/or block diagram block or blocks.

These computer program instructions may also be stored in a computerreadable medium that can direct a computer, other programmable dataprocessing apparatus, or other devices to function in a particularmanner, such that the instructions stored in the computer readablemedium produce an article of manufacture including instructions whichimplement the function/act specified in the flowchart and/or blockdiagram block or blocks.

The computer program instructions may also be loaded onto a computer,other programmable data processing apparatus, or other devices to causea series of operational steps to be performed on the computer, otherprogrammable apparatus or other devices to produce a computerimplemented process such that the instructions which execute on thecomputer or other programmable apparatus provide processes forimplementing the functions/acts specified in the flowchart and/or blockdiagram block or blocks.

The flowchart and block diagrams in the Figures illustrate thearchitecture, functionality, and operation of possible implementationsof systems, methods and computer program products according to variousembodiments of the present invention. In this regard, each block in theflowchart or block diagrams may represent a module, segment, or portionof code, which comprises one or more executable instructions forimplementing the specified logical function(s). It should also be notedthat, in some alternative implementations, the functions noted in theblock may occur out of the order noted in the figures. For example, twoblocks shown in succession may, in fact, be executed substantiallyconcurrently, or the blocks may sometimes be executed in the reverseorder, depending upon the functionality involved. It will also be notedthat each block of the block diagrams and/or flowchart illustration, andcombinations of blocks in the block diagrams and/or flowchartillustration, can be implemented by special purpose hardware-basedsystems that perform the specified functions or acts, or combinations ofspecial purpose hardware and computer instructions.

While particular embodiments of the present invention have beendescribed herein for purposes of illustration, many modifications andchanges will become apparent to those skilled in the art. Accordingly,the appended claims are intended to encompass all such modifications andchanges as fall within the true spirit and scope of this invention.

The invention claimed is:
 1. A method for virtual machine backup in acomputer system, the computer system comprising: a processor unitarranged to run a hypervisor running one or more virtual machines; acache connected to the processor unit and comprising a plurality ofcache rows, each cache row comprising a memory address, a cache line andan image modification flag wherein the image modification flag indicateswhether a virtual machine being backed up has modified the cache line;and a memory connected to the cache and arranged to store an image of atleast one virtual machine; the method comprising: defining a log in thememory; in response to a determination that a cache line has beenmodified, setting, in the cache, a dirty bit flag indicating that thecache line has been modified; in response to a determination that avirtual machine that modified the cache line is being backed up,setting, in the cache, the image modification flag for the cache linemodified by the virtual machine being backed up, wherein the imagemodification flag is not set if the cache line is modified by a virtualmachine not being backed up, and wherein the image modification flag isnot set if the cache line is modified by the hypervisor operating inprivilege mode; periodically checking the image modification flags; andwriting only the memory address of the cache rows flagged with the imagemodification flag in the defined log.
 2. The method of claim 1, andfurther comprising writing the memory address of a flagged cache line inthe defined log upon the eviction of the cache row flagged with theimage modification flag from the cache.
 3. The method of claim 1 furthercomprising updating a backup image of a virtual machine in a differentmemory location by: retrieving the memory addresses from the log;obtaining the modified cache lines using the retrieved memory addresses;updating the backup image with the modified cache lines; and clearingthe image modification flags for cache rows containing the modifiedcache lines.
 4. The method of claim 1, wherein the processor unit isarranged to run multiple execution threads and further comprisingmaintaining a thread mask flagging those threads that relate to one ormore virtual machines being backed up and when setting the imagemodification flag for a cache line modified by a virtual machine beingbacked up, referring to the thread mask to determine whether to set theimage modification flag to for the current cache line being modified. 5.The method of claim 4, wherein each cache row further comprises a threadID indicating which execution thread is responsible for modification ofthe cache line in the respective cache row.